Follow Cognitive Times

Cognitive Analytics Can Secure OT Systems in Oil and Gas

The Internet of Things (IoT) has caused sweeping changes across nearly every industry — and oil and gas operational technology (OT) is no exception.

Recent cyberattacks have begun to fuel worry about the implications of IoT for cybersecurity, and rightly so. A changing technological landscape means old methods for securing systems may no longer work.

The problem of security in OT is still more complex.

IoT is leading to a watershed of changes in the organization of systems in the oil and gas industry, merging previously separate systems and bringing information technology (IT) and OT organizations together.

As more advancements are made to the structure of OT, security systems must evolve as well to reflect current challenges and concerns.

The static security systems of the past, consisting largely of a firewall to protect the perimeter of a network and an endpoint detection system to patrol the interior, are no longer sufficient. These measures are neither accurate nor scalable enough to protect OT systems under the new, IoT-enhanced paradigm.

The best way to fully secure OT systems is to instead protect them with dynamic solutions powered by machine learning algorithms.

The Problem of Traditional Cybersecurity

The exponential growth in the number of new devices and connections created by IoT means new potential gaps in security. Safety-critical industrial systems that used to be hidden deep behind firewalls are increasingly being exposed to outside networks that may or may not be secure.

In order to maintain the integrity of systems in this new environment, IoT adoption necessitates a change in the architecture of OT cybersecurity.

The general approach to security in OT for oil and gas is more often one of whitelisting than blacklisting — blocking all but a few permitted connections, rather than attempting to sift through all signals and weed out malicious ones.

This becomes vastly more difficult with the increase in connections and signals created by IoT.

Furthermore, malware is no longer as uniform as it once was — malicious signals are often not easily distinguishable from the benign.

A Growing Threat

As of the beginning of 2016, a full 27% of all malware variants ever created had been made during or after 2015, and it can only be assumed that this number has continued its swift growth since.

In a time when both the sheer number of signals and the variety of attacks are sharply increasing, this makes simply identifying threats a challenge, and traditional defense systems can no longer keep up.

The endpoint solutions that have been employed by oil and gas and most other industries until now are built on signature-based detection methods.

Not only are these ineffective against general attacks, they are typically only benchmarked off of a few hundred stale malware samples at best.

This is far too static a solution to keep up with the rapid evolution of malware and the recent proliferation of threats.

The Cost of Security

In fact, the annual cost per company of false positives from endpoint-based systems is already estimated at $1.3 million and 21,000 hours of time wasted on IT support — and as discussed above, the number of threats and the number of potentially vulnerable endpoints are growing rapidly.

There is simply not enough IT manpower available to continue operating in this manner. Perhaps most critically for the oil and gas industry, in order to be effective, traditional antivirus software requires massive amounts of system downtime.

Even on robust desktops and laptops, antivirus software accounts for at least 15 minutes of downtime per week. On a typical IoT controller, which would not be designed for any kind of rigorous computing, that 15 minutes becomes hours.

This is unacceptable for an industry where so much hinges on continuous, reliable production, but the only way around this with most antivirus software is to make the software so lightweight as to be completely ineffectual.

A traditional antivirus with minimized system downtime would also be an antivirus that is not robust enough to catch many or most threats.

Anomaly Detection and Machine Learning

Where traditional security measures may not be able to keep up with this new connected world, a learning solution can.

A dynamic system that is capable of learning even after it’s been deployed can scale with the vast increase in both potential vulnerabilities and types of threats.

A type of security that should be of particular use and interest to the oil and gas industry is anomaly detection, or anomalous message detection. With the advent of IoT, preventing all threats from entering a network is far less feasible than simply detecting the ones that have already made it in.

Anomaly detection is designed to monitor the behavior of endpoint devices within the network and flag any unusual behaviors or abnormal signals being sent out.

For example, a learning anomaly detection solution would recognize and flag when command signals come in from an IP address that traditionally only hosts data acquisition equipment. Such unusual behavior could be the result of malicious software.

This is a particularly efficient approach for oil and gas for a number of reasons.

Security with Ease

Most facilities have only a small staff, and therefore lack the people, time, and resources to identify anomalous behaviors or potential threats themselves — a problem only exacerbated by IoT and IT/OT convergence.

Anomaly detection is also an approach suited to securing OT systems specifically. Where IT systems may have a diverse range of signals and behaviors associated with their devices, OT systems are designed for repeatable communications.

The expected signals and behaviors of OT components are fairly well defined, making anomalies particularly uncommon — and particularly easy to identify.

Anyone can agree that anomalous behavior in OT systems is an immediate concern, regardless of the cause. Anomaly detection software is capable of picking up on anything that may be going wrong in a system, whether it’s due to malware or a mechanical failure.

If a device is working improperly, it will be flagged as a potential concern no matter the reason.

Accommodating Algorithms

Not all anomaly detection software is based on learning algorithms. It’s possible to use a rule-based approach instead, in which humans outline by hand what is and is not considered anomalous behavior — in other words, the rules of the system — and tell the software to flag any behaviors that do not fall within these predefined rules.

This is not likely to be as effective as a learning solution, however, which relies instead on generating hypotheses using multiple data sets, even those that may appear unconnected or irrelevant.

Subtler attacks may involve unusual behaviors that still fall within the normal rules of operation.

For example, a control system may suddenly tell a device that regulates valves to close a valve that is usually left open.

This is a normal type of message within a rules-based approach, sent between the correct devices for this context. But the context and timing is statistically unusual, so a security system powered by machine learning would flag this behavior where a rules-based system might not.

The Case of Stuxnet

Stuxnet is a prime example of a threat that could not be detected or predicted by most security solutions, but arguably could have been caught by a learning software.

Stuxnet is a worm that specifically targets Windows-based Step 7 software in programmable logic controllers (PLCs). It propagates between nodes and IP addresses until it finds a target that falls under this category.

Its infamous sabotage of Iran’s nuclear program was carried out by infecting these PLCs and then using them to send new orders directing centrifuges to oscillate at resonant frequency — the frequency at which the centrifuges would essentially rip themselves apart.

Even as this was occurring, Stuxnet also sent signals from the PLCs to control systems claiming that everything was running smoothly, making the worm — and the damage it had caused — more difficult to discover.

There are a number of steps in this process where a learning security solution would likely have caught Stuxnet:

First of all, a learning anomaly detection software would have identified the initial propagation of Stuxnet between nodes in the system as anomalous, and therefore potentially malicious.

Secondly, a machine learning antivirus would have recognized that a worm had found its way into the device and blocked it from executing.

Even assuming Stuxnet made it past these first two lines of defense, a learning system would still have been able to identify an anomaly in the system as soon as Stuxnet began altering the operations of the system.

The Essential Reality

Learning anomaly detection systems can operate out-of-band, meaning they do not go through PLCs to access the rest of the system. This means a learning software would be able to detect that anomalous operations were occurring, regardless of the false information being transmitted by PLCs.

It’s clear that traditional security solutions are no longer capable of properly protecting OT systems and assets. Dynamic solutions capable of learning from data over time, however, are addressing the challenges of the new security paradigm.

IoT and the integration of IT with OT are changing the face of cybersecurity for OT in oil and gas. These changes in the structure of systems — as well as the growing onslaught of new malware and zero-day attacks — require a change in the approach to cybersecurity.

As both our devices and our threats become more intelligent, so must our security systems.